Period for Reply



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 23 February 2011.
2a) ☒ This action is FINAL. 2b) □ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) 1-22,25,27-34,36,40,41 and 43-46 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-22,25,27-34,36,40,41 and 43-46 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) □ All b) □ Some * c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

3) □ Information Disclosure Statement(s) (PTO/SB/08) 5) □ Notice of Informal Patent Application

Paper No(s)/Mail Date . 6) □ Other: . 
Detailed Action
Response to Arguments 

In response to applicant's arguments pertaining to the 101 rejections of the previous action, said 
101 rejections have been withdrawn. 

In response to applicant's arguments pertaining to the 112 rejection of the previous action,
applicant's arguments are not persuasive. Applicant argues the original claim provides support for 
performing a security check on each access operation because the claim comprises a method wherein 
the steps of performing a security check and permitting an access operation are described. While this 
may be true, the steps are independent of each other and therefore it cannot be concluded that the 
permitting of an access operation is dependent on the security check. Further, it is unclear whether a 
security check is required for permitting an access operation. 

Applicant's arguments pertaining to the art rejections, specific to Ballantyne not teaching "storing, 
in an audit memory, access data information and access operation together with the user signature and 
the at least one role signature specific for each access operation" are not persuasive. 

Ballantyne does not specifically cite that the information is stored in an "audit memory". But 
Ballantyne teaches that "access is only granted to authorized users of which the library software 
automatically audits all users' access". Users' access are made available to patients on a monthly 
statement illustrating who has accessed their health records. It is clear from this that not only are records 
kept of the individual accesses, the information must be stored in some kind of memory so that it can later 
be made available to patients. It is further clear from this that when an access is recorded, the name as 
well as the role of the person accessing the data must be recorded. It would be unreasonable to say that 
just a doctor or a nurse's name is recorded because a patient may not know what position or role an 
accessor has just by their name. Clearly a position or role must be audited with the name of the person. 
Ballantyne even cites that information regarding professional status, qualifications, and necessity to 
access are gathered. 
Applicant also argues that the combined references do not teach wherein the at least one role
signature is a plurality of role signatures. Examiner respectfully disagrees. Ballantyne teaches, for 
example, physician and nurses are role signatures. Each of these signatures is assignable to a plurality 
of users. Each of these signatures identifies a different activity group (those able to view data, those able 
to modify data, etc.) 

Claim Rejections - 35 USC §112 

1. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

2. Claims 1, 9 and 29 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply with the
enablement requirement. The claim(s) contains subject matter which was not described in the 
specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most 
nearly connected, to make and/or use the invention. Said claims recite the limitation, "performing a 
security check upon each access operation." Applicant's specification does not show this and further 
cites that only one security check is performed. Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negatived by the manner in which the invention was made.

2. Claims 1-22, 25, 27-34, 36, 40-41, 43-46 are rejected under 35 U.S.C. 103(a) as
being unpatentable over Khidekel (US PGP No. 20010027527) and further in view of 
Ballantyne (US Patent No. 5867821). 
As per claims 1, 9, 16, 29 and 40, Khidekel teaches: 

A method for signing access operations to electronic data, comprising: 

performing a security check upon each access operation in order to ascertain the identity of a user; 

[see paragraph 0029] "The user can be authenticated based on the user's credentials" 

[see paragraph 35, wherein upon receiving the token, the secure server validates the token by
comparing the difference between the current time and the authentication time to the predefined
threshold to make sure a duration of time has not expired. It is clear from this that each access
operation must be logged and a security check performed because if each access is not logged,
there would be an error in the duration of time since the last access operation that was not
logged.]

assigning a user signature, identifying the user, on the basis of the performed security check without 
being viewable by the user; 

[see paragraph 0034] "Token" 

assigning at least one role signature, each role signature being assignable to a plurality of users, on the
basis of the performed security check without being viewable by the user; and 

[see paragraph 0039] ". . . business rules that indicate which users are authorized to take various 
types of actions..." 

signing each access operation to electronic data by specifying the user signature and the role signature; 
and 

[see paragraph 0034-0035] 



The Khidekel reference is mute in teaching the following limitations: 

recording each access operation and the user signature and the at least one role signature specified for 
each access operation. 

[see col. 8, lines 54-64, wherein all user accesses are documented. It would have been obvious
to one of ordinary skill in the art to modify the Khidekel reference to include this limitation taught
by Ballantyne so that patients can request logs of who accessed their logs and when.]



wherein each access operation is recorded in an audit memory, 
the user signature is recorded in the audit memory, and

the at least one role signature is recorded in the audit memory. 

For the above limitations, examiner relies upon the Ballantyne reference. Ballantyne teaches at col. 8, 
lines 1-64, auditing user accesses to all the archived electronic health records contained in the master 
library (ML). Examiner views the identification number as analogous to the claimed user signature and 
the personal electronic profile as containing information analogous to the claimed role signature. 
Ballantyne teaches logging of all user actions as well as recording user accesses by ID numbers and 
accompanying user profiles. It would have been obvious to one of ordinary skill in the art to modify the 
Khidekel reference to include archiving of access operations in an audit memory as taught by Ballantyne 
in order to automate data collection and reduce manual collection and storage of user information. This 
in turn would create a more efficient and effective system. 



As per claims 2, 10, and 30, Khidekel teaches: 

The method as claimed in claim 1, wherein the security check involves biometric data from the user being
ascertained. 

[see paragraph 0029] 

As per claims 3, 11, 17, and 31, Khidekel teaches: 

The method as claimed in claim 1, wherein the security check involves reading at least one of an
electronic and mechanical key. 

[see paragraph 0029, "smartcard"] 
As per claims 4, 12, 18, 19, 25, and 32, Khidekel teaches: 

The method as claimed in claim 1, wherein the user signature to be assigned is ascertainable on the
basis of the data ascertained in the security check, by checking a user signature memory. 

[see paragraph 0026, "database 24"] 

As per claims 5, 13, 20, 21, 27, and 33, Khidekel teaches: 

The method as claimed in claim 1, wherein the role signature to be assigned is ascertainable on the basis
of the data ascertained in the security check, by checking a role signature memory.

[see paragraph 0026, "database 24"]

As per claims 6, 14, 22, 28, 34, Khidekel teaches:

The method as claimed in claim 4, wherein the user signature memory is checked using a data 
telecommunication link. 

[see paragraph 0028, "communications can be sent over a secure socket layer"] 

As per claim 7, Khidekel teaches: 

The method as claimed in claim 1, the at least one role signature is a plurality of role signatures.

[see paragraph 0039, wherein specified physicians may be permitted to view patient records as 
well as modify them while administrative staff may only view patient records] 

As per claims 8, 15, and 36, Khidekel teaches: 

The method as claimed in claim 1, wherein the data are medically relevant, wherein the users are medical
specialist personnel, and wherein the roles are formed in line with the workgroups within the medical 
specialist personnel. 

[see paragraph 0025] 
As per claim 41, Khidekel teaches: 

The method as claimed in claim 40, wherein an access operation can be reconstructed by specifying at 
least one of the user's former and current role signatures. 

[see paragraph 41, resubmit credentials for re-authentication.]
As per claims 43-46, Ballantyne teaches: 

The method as claimed in claim 1, wherein the user signature memory and the role signature memory are
maintained independently from the audit memory. 

[see col. 15, lines 40-67, and col. 16, lines 1-13] 



Conclusion

3. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth
in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the mailing date of this final action. 

POINTS OF CONTACT 

Any response to this Office Action should be faxed to (571) 273-8300 or mailed to:

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulaney Street 
Alexandria, VA 22314 

Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner can normally 
be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Nasser Moazzami can be reached on 571-272-4195. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
/Daniel L. Hoang/
Examiner, Art Unit 2436 
i, contact the Electronic Business Center (EBC)



/Nasser Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 



